Index: sys/kern/uipc_socket2.c
===================================================================
RCS file: /mount/openbsd/cvs/src/sys/kern/uipc_socket2.c,v
diff -u -p -u -p -r1.165 uipc_socket2.c
--- sys/kern/uipc_socket2.c	16 Jan 2025 16:35:01 -0000	1.165
+++ sys/kern/uipc_socket2.c	21 Jan 2025 16:51:58 -0000
@@ -245,8 +245,6 @@ sonewconn(struct socket *head, int conns
 		wakeup(&head->so_timeo);
 	}
 
-	sounlock_nonet(so);
-
 	return (so);
 
 fail:
Index: sys/kern/uipc_usrreq.c
===================================================================
RCS file: /mount/openbsd/cvs/src/sys/kern/uipc_usrreq.c,v
diff -u -p -u -p -r1.212 uipc_usrreq.c
--- sys/kern/uipc_usrreq.c	1 Jan 2025 13:44:22 -0000	1.212
+++ sys/kern/uipc_usrreq.c	21 Jan 2025 16:51:58 -0000
@@ -890,18 +890,17 @@ unp_connect(struct socket *so, struct mb
 
 		if ((so2->so_options & SO_ACCEPTCONN) == 0 ||
 		    (so3 = sonewconn(so2, 0, M_WAIT)) == NULL) {
+			sounlock(so2);
 			error = ECONNREFUSED;
-		}
-
-		sounlock(so2);
-
-		if (error != 0)
 			goto put;
+		}
 
 		/*
 		 * Since `so2' is protected by vnode(9) lock, `so3'
 		 * can't be PRU_ABORT'ed here.
 		 */
+		sounlock(so2);
+		sounlock(so3);
 		solock_pair(so, so3);
 
 		unp2 = sotounpcb(so2);
Index: sys/netinet/tcp_input.c
===================================================================
RCS file: /mount/openbsd/cvs/src/sys/netinet/tcp_input.c,v
diff -u -p -u -p -r1.423 tcp_input.c
--- sys/netinet/tcp_input.c	16 Jan 2025 11:59:20 -0000	1.423
+++ sys/netinet/tcp_input.c	21 Jan 2025 16:51:58 -0000
@@ -604,6 +604,11 @@ findpcb:
 		tcpstat_inc(tcps_noport);
 		goto dropwithreset_ratelim;
 	}
+	so = in_pcbsolock_ref(inp);
+	if (so == NULL) {
+		tcpstat_inc(tcps_noport);
+		goto dropwithreset_ratelim;
+	}
 
 	KASSERT(sotoinpcb(inp->inp_socket) == inp);
 	KASSERT(intotcpcb(inp) == NULL || intotcpcb(inp)->t_inpcb == inp);
@@ -636,7 +641,6 @@ findpcb:
 	else
 		tiwin = th->th_win;
 
-	so = inp->inp_socket;
 	if (so->so_options & (SO_DEBUG|SO_ACCEPTCONN)) {
 		union syn_cache_sa src;
 		union syn_cache_sa dst;
@@ -725,6 +729,7 @@ findpcb:
 					 * in use for the reply,
 					 * do not free it.
 					 */
+					so = NULL;
 					m = *mp = NULL;
 					goto drop;
 				} else {
@@ -732,13 +737,11 @@ findpcb:
 					 * We have created a
 					 * full-blown connection.
 					 */
-					tp = NULL;
 					in_pcbunref(inp);
 					inp = in_pcbref(sotoinpcb(so));
 					tp = intotcpcb(inp);
 					if (tp == NULL)
 						goto badsyn;	/*XXX*/
-
 				}
 				break;
 
@@ -844,6 +847,7 @@ findpcb:
 					tcpstat_inc(tcps_dropsyn);
 					goto drop;
 				}
+				in_pcbsounlock_rele(inp, so);
 				in_pcbunref(inp);
 				return IPPROTO_DONE;
 			}
@@ -1019,6 +1023,7 @@ findpcb:
 				if (so->so_snd.sb_cc ||
 				    tp->t_flags & TF_NEEDOUTPUT)
 					(void) tcp_output(tp);
+				in_pcbsounlock_rele(inp, so);
 				in_pcbunref(inp);
 				return IPPROTO_DONE;
 			}
@@ -1069,6 +1074,7 @@ findpcb:
 			tp->t_flags &= ~TF_BLOCKOUTPUT;
 			if (tp->t_flags & (TF_ACKNOW|TF_NEEDOUTPUT))
 				(void) tcp_output(tp);
+			in_pcbsounlock_rele(inp, so);
 			in_pcbunref(inp);
 			return IPPROTO_DONE;
 		}
@@ -1262,6 +1268,8 @@ trimthenstep6:
 			    ((arc4random() & 0x7fffffff) | 0x8000);
 			reuse = &iss;
 			tp = tcp_close(tp);
+			in_pcbsounlock_rele(inp, so);
+			so = NULL;
 			in_pcbunref(inp);
 			inp = NULL;
 			goto findpcb;
@@ -2066,6 +2074,7 @@ dodata:							/* XXX */
 	 */
 	if (tp->t_flags & (TF_ACKNOW|TF_NEEDOUTPUT))
 		(void) tcp_output(tp);
+	in_pcbsounlock_rele(inp, so);
 	in_pcbunref(inp);
 	return IPPROTO_DONE;
 
@@ -2095,6 +2104,7 @@ dropafterack:
 	m_freem(m);
 	tp->t_flags |= TF_ACKNOW;
 	(void) tcp_output(tp);
+	in_pcbsounlock_rele(inp, so);
 	in_pcbunref(inp);
 	return IPPROTO_DONE;
 
@@ -2130,6 +2140,7 @@ dropwithreset:
 		    (tcp_seq)0, TH_RST|TH_ACK, m->m_pkthdr.ph_rtableid, now);
 	}
 	m_freem(m);
+	in_pcbsounlock_rele(inp, so);
 	in_pcbunref(inp);
 	return IPPROTO_DONE;
 
@@ -2141,6 +2152,7 @@ drop:
 		tcp_trace(TA_DROP, ostate, tp, otp, &saveti.caddr, 0, tlen);
 
 	m_freem(m);
+	in_pcbsounlock_rele(inp, so);
 	in_pcbunref(inp);
 	return IPPROTO_DONE;
 }
@@ -3535,15 +3547,18 @@ syn_cache_get(struct sockaddr *src, stru
 	struct inpcb *inp, *oldinp;
 	struct tcpcb *tp = NULL;
 	struct mbuf *am;
-	struct socket *oso;
+	struct socket *oldso;
 	u_int rtableid;
 
 	NET_ASSERT_LOCKED();
 
+	inp = sotoinpcb(so);
+
 	mtx_enter(&syn_cache_mtx);
 	sc = syn_cache_lookup(src, dst, &scp, sotoinpcb(so)->inp_rtableid);
 	if (sc == NULL) {
 		mtx_leave(&syn_cache_mtx);
+		in_pcbsounlock_rele(inp, so);
 		return (NULL);
 	}
 
@@ -3557,6 +3572,7 @@ syn_cache_get(struct sockaddr *src, stru
 		refcnt_take(&sc->sc_refcnt);
 		mtx_leave(&syn_cache_mtx);
 		(void) syn_cache_respond(sc, m, now, do_ecn);
+		in_pcbsounlock_rele(inp, so);
 		syn_cache_put(sc);
 		return ((struct socket *)(-1));
 	}
@@ -3571,12 +3587,13 @@ syn_cache_get(struct sockaddr *src, stru
 	 * connection when the SYN arrived.  If we can't create
 	 * the connection, abort it.
 	 */
-	oso = so;
+	oldso = so;
+	oldinp = inp;
 	so = sonewconn(so, SS_ISCONNECTED, M_DONTWAIT);
 	if (so == NULL)
 		goto resetandabort;
-
-	oldinp = sotoinpcb(oso);
+	soassertlocked(so);
+	soref(so);
 	inp = sotoinpcb(so);
 
 #ifdef IPSEC
@@ -3637,7 +3654,7 @@ syn_cache_get(struct sockaddr *src, stru
 	(void) m_free(am);
 
 	tp = intotcpcb(inp);
-	tp->t_flags = sototcpcb(oso)->t_flags & (TF_NOPUSH|TF_NODELAY);
+	tp->t_flags = sototcpcb(oldso)->t_flags & (TF_NOPUSH|TF_NODELAY);
 	if (sc->sc_request_r_scale != 15) {
 		tp->requested_s_scale = sc->sc_requested_s_scale;
 		tp->request_r_scale = sc->sc_request_r_scale;
@@ -3649,6 +3666,7 @@ syn_cache_get(struct sockaddr *src, stru
 	tp->t_template = tcp_template(tp);
 	if (tp->t_template == 0) {
 		tp = tcp_drop(tp, ENOBUFS);	/* destroys socket */
+		in_pcbsounlock_rele(inp, so);
 		so = NULL;
 		goto abort;
 	}
@@ -3700,8 +3718,9 @@ syn_cache_get(struct sockaddr *src, stru
 		tp->rcv_adv = tp->rcv_nxt + sc->sc_win;
 	tp->last_ack_sent = tp->rcv_nxt;
 
-	tcpstat_inc(tcps_sc_completed);
+	in_pcbsounlock_rele(oldinp, oldso);
 	syn_cache_put(sc);
+	tcpstat_inc(tcps_sc_completed);
 	return (so);
 
 resetandabort:
@@ -3711,6 +3730,8 @@ abort:
 	m_freem(m);
 	if (so != NULL)
 		soabort(so);
+	in_pcbsounlock_rele(inp, so);
+	in_pcbsounlock_rele(oldinp, oldso);
 	syn_cache_put(sc);
 	tcpstat_inc(tcps_sc_aborted);
 	return ((struct socket *)(-1));
@@ -3744,8 +3765,8 @@ syn_cache_reset(struct sockaddr *src, st
 	}
 	syn_cache_rm(sc);
 	mtx_leave(&syn_cache_mtx);
-	tcpstat_inc(tcps_sc_reset);
 	syn_cache_put(sc);
+	tcpstat_inc(tcps_sc_reset);
 }
 
 void
@@ -3785,8 +3806,8 @@ syn_cache_unreach(const struct sockaddr 
 
 	syn_cache_rm(sc);
 	mtx_leave(&syn_cache_mtx);
-	tcpstat_inc(tcps_sc_unreach);
 	syn_cache_put(sc);
+	tcpstat_inc(tcps_sc_unreach);
 }
 
 /*
@@ -3814,7 +3835,7 @@ syn_cache_add(struct sockaddr *src, stru
 	struct syn_cache_head *scp;
 	struct mbuf *ipopts;
 
-	NET_ASSERT_LOCKED();
+	soassertlocked(so);
 
 	tp = sototcpcb(so);
 
@@ -3972,9 +3993,8 @@ syn_cache_add(struct sockaddr *src, stru
 	if (syn_cache_respond(sc, m, now, do_ecn) == 0) {
 		mtx_enter(&syn_cache_mtx);
 		/*
-		 * XXXSMP Currently exclusive netlock prevents another insert
-		 * after our syn_cache_lookup() and before syn_cache_insert().
-		 * Double insert should be handled and not rely on netlock.
+		 * Socket lock prevents another insert after our
+		 * syn_cache_lookup() and before syn_cache_insert().
 		 */
 		syn_cache_insert(sc, tp);
 		mtx_leave(&syn_cache_mtx);